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Abstract. In 1SNN'04, a novel symmetric cipher was proposed, by com- 
bining a chaotic signal and a clipped neural network (CNN) for en- 
cryption. The present paper analyzes the security of this chaotic cipher 
against chosen-plaintext attacks, and points out that this cipher can be 
broken by a chosen-plaintext attack. Experimental analyses are given to 
support the feasibility of the proposed attack. 



1 Introduction 

Since the 1990s, the study of using chaotic systems to design new ciphers has 
become intensive [Ij. In particular, the idea of combining chaos and neural net- 
works has been developed [2], [3], [4], [5] and has been adopted for image and 
video encryption [5], [7]. In our recent work [5], it has been shown that the 
chaotic ciphers designed in [5], [3], 0], [5], [7] are not sufficiently secure from a 
cryptographical point of view. 

This paper focuses on the security of a clipped-neural-network-based chaotic 
cipher proposed in ISNN'04 |5j. This chaotic cipher employs a chaotic pseudo- 
random signal and the output of a 8-cell clipped neural network to mask the 
plaintext, along with modulus additions and XOR operations. Also, the evolu- 
tion of the neural network is controlled by the chaotic signal. With such a com- 
plicated combination, it was hoped that the chaotic cipher can resist chosen- 
plaintext attacks. Unfortunately, our analysis shows that it is still not secure 
against chosen-plaintext attacks. By choosing only two plaintexts, an attacker 
can derive an equivalent key to break the cipher. This paper reports our analyses 
and simulation results. 



This paper has been published in Advances in Neural Networks C ISNN 2005: Second 
International Symposium on Neural Networks, Chongqing, China, May 30 - June 1, 
2005, Proceedings, Part II (ISNN 2005), Lecture Notes in Computer Science, vol. 

3497, pp. 630-636. 
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The rest of the paper is organized as follows. Section [2] is a brief introduc- 
tion to the chaotic cipher under study. The proposed chosen-plaintext attack is 
described in detail in Sec. [31 with some experimental results. The last section 
concludes the paper. 



2 The CNN-Based Chaotic Cipher 

First, the CNN employed in the chaotic cipher is introduced. The neural network 
contains 8 neural cells, denoted by 5*0, •• • ,87 G {1,-1}, and each cell is con- 
nected with other cells via eight synaptic weights Wij € {1, 0, —1}, among which 
only three are non-zeros. The synaptic weights between two connected cells are 
identical: W i, j = ^ 7, Wij = Wji. The neural network evolves according to the 
following rule: V i = 7, 

I 1 c ^ n 

(1) 




where Si = X)j=o ^ij^o- Note that S'i 7^ holds at all times. 

Now, let us see how the chaotic cipher works with the above CNN. With- 
out loss of generality, assume that / = {/(j)}£o^ is the plaintext signal, where 
f{i) denotes the i-th plain-byte and N is the plaintext size in byte. Accordingly, 
denote the ciphertext by /' = {/'(«)}^o^' where /'(«) is a double-precision 
floating-point number corresponding to the plain-byte f{i). The encryption pro- 
cedure can be briefly depicted as foUowfQ. 

— The secret key includes the initial states of the 8 neural cells in the CNN, 
S'o(O), • • • , iS'7(0), the initial condition x(0), and the control parameter r of 
the following chaotic tent map: 

^ |rx, < . < 0.5 , 

|r(l -x), 0.5 < x < 1 , ^ ' 

where r should be very close to 2 to ensure the chaoticity of the tent map. 

— The initial procedure: 1) in double-precision floating-point arithmetic, run 
the tent map from x(Q) for 128 times before the encryption starts; 2) run 
the CNN for 128/8 — 16 times (under the control of the tent map, as dis- 
cussed below in the last step of the encryption procedure); 3) set a;(0) and 
S'o(O), • • ■ , 5*7(0) to be the new states of the tent map and the CNN. 

— The encryption procedure: for the i-th plain-byte /(i), perform the following 
steps to get the ciphertext f'{i): 

• evolve the CNN for one step to get its new states: S'o(i), • ■ • , S'7(«); 

• in double-precision floating-point arithmetic, run the chaotic tent map 
for 8 times to get 8 chaotic states: x{^i -|- 0), • • • , x{Si + 7); 



^ Note that some original notations used in ^ have been changed in order to provide 
a better description. 



• generate 8 bits by extracting the 4-th bits of the 8 chaotic states: b{8i + 
0), • • • , b{8i + 7), and then V j = - 7, set Ej = 2 ■ b{8i + j) - 1; 

• encrypt f{i) as foUow^: 



/.(0.((/(!)j|M + .(8. + 7)).„dl) , (3) 

where = (M±i)^2'-> ; 

• y i = ^ 7, ii Si ^ Ei, update all the three non-zero weights of the 
z-th neural cell and the three mirror weights as follows: Wij = —Wij, 

— The decryption procedure is similar to the above one with the following de- 
cryption formula: 

f{i) ^ (256 • ((/'(i) - x{8i + 7)) mod 1)) ® B{i) . (4) 



3 The Chosen-Plaintext Attack 

In chosen-plaintext attacks, it is assumed that the attacker can intentionally 
choose a number of plaintexts to try to break the secret key or its equivalent 
[9]. Although it was claimed that the chaotic cipher under study can resist this 
kind of attacks [5, Sec. 4], our cryptanalysis shows that such a claim is not true. 
By choosing two plaintexts, /i and /2, satisfying Vi = 0~A^ — 1, = /2(*)) 
one can derive two masking sequences as equivalent keys for decryption. 

Before introducing the chosen-plaintext attack, three lemmas are given, which 
are useful in the following discussions. 

Lemma 1. Va, 6, c G M, c 7^ and n G Z+, if a ~ (6 mod c), one has a ■ n = 
{{h ■ n) mod (c • n)). 

Proof. From a = (b mod c), one knows that BkElj, b = c-k + a and < a < c. 
Thus, V n G Z+, b-n — c-n-k + a- n and < a ■ n < c ■ n, which immediately 
leads to a • n = {{b-n) mod (c • n)) and completes the proof of this lemma. □ 

Lemma 2. ya,b,c,n G M and < a,b < n, if c ^ {{a — b) mod n), one has 
a ~ b ^ {c, c — n}. 

Proof. This lemma can be proved under two conditions, i) When a > 6, it is 
obvious that {{a — b) mod n) = a — b — c. ii) When a < b, {{a — b) mod n) = 
{{n + a — b) mod n). Since ~n < a — b < 0, one has 0<n + a — b<n, which 
means that {{a — b) mod n) = n + a — b = c. That is, a — b = c — n. Combining 
the two conditions, this lemma is thus proved. □ 

Lemma 3. Assume that a, b are both 8-bit integers. If a — b (S 128, then a = 
(6-f 128) (mod 256). 

^ In [5], a;(8i -|- 7) was mistaken as x(8). 



Proof. This lemma can be proved under two conditions, i) When < a < 128: 
6 = a e 128 = a + 128, so a = (6 + 128) (mod 256). ii) When 128 < a < 255: 
6 = a e 128 = a - 128, so a = (6 - 128) = {b + 128) (mod 256). □ 

From Lemma [U one can rewrite the encryption formula Eq. ([3]) as follows: 

256 • /'(i) = (((/(i) ©B(i)) + 256 •a;(8i + 7)) mod 256) . (5) 

Given two plain-bytes /i(i) ^ /2(i) and the corresponding cipher-blocks /{(i), /2(i), 
onehas 256-(/{(i)-/^(i)) = ((/i(i) ® B(i)) - {f2{i) ® B{i))) (mod 256). With- 
out loss of generality, assume that f[{i) > /2(*) and that Af-^ ^ — 256 • (/((«) — 
/2(i)). It is true that < Z\/i ^ < 256. Thus, one has 

^/i,. - © B{t)) - (hit) © Bm mod 256) . (6) 

Because fi{i) © B{i) and f2{i) © B{i) are 8-bit integers and Af-^ ^ 0> from 
Lemma m one of the following facts is true: 

1. (hit) (BB{t))-{f2{t)® B{i)) = Af,^, €{!,■■■ ,255} ; (7a) 

2. (Ml) © Bit)) ~ (/i(z) © 5(0) = (256 - Z\/,,,) G {1, • • • , 255} . (7b) 

For the above two equations, when fi{i) = /2(i) is satisfied, two possible values 
of B(i) can be uniquely derived according to the following theorem. 

Theorem 1. Assume that a,b,c,x are all 8-bit integers, and c > 0. If a = 
b, then the equation (a © a;) — (6 © x) = c has an unique solution x — a (B 
(1, C7, • ■ • , ci)2, where c = (cy, • • ■ ,00)2 = Z^Lo ' 2*- 

Proof. Since a = b, one has b (B x = a (S x. Thus, by substituting y — a® x and 
y — a®x — b®x into (a © x) — (6 © a;) = c, one can get y — y — c, which is 
equivalent to y — y + c. Let y — X]I=o 2/* ' 2*, and consider the following three 
conditions, respectively. 

1) When i = 0, from yo = (2/0 + co) (mod 2), one can immediately get cq = 1. 
Note the following two facts: i) when ?/o = 0, yo -l-co = 2, a carry bit is generated 
for the next bit, so yi = (yi -|- ci -|- 1) (mod 2) and ci = 0; ii) when yo = 1, 
yo -I- Co = 1 , no carry bit is generated, so yi = (yi + ci) (mod 2) and ci = 1. 
Apparently, it is always true that ?/o = ci. Also, a carry bit is generated if ci = 
is observed. 

2) When i = 1, if there exists a carry bit, set = ci + 1 G {1, 2}; otherwise, 
set c\ = ci G {0,1}. From yi = {yi + c'{) (mod 2), one can immediately get 
c'l — 1. Then, using the same method shown in the first condition, one has 
2/1 = C2 and knows whether or not a carry bit is generated for i = 2. Repeat the 
above procedure for z = 2 ^ 6, one can uniquely determine that yi = Ci+i. 

3) When i = 7, it is always true that the carry bit does not occur, so Cy = 1, 
and 2/7 = 1. 

Combining the above three conditions, one can get y — (1, C7, ■ • ■ , 01)2, which 
results in a; = a © (1, C7, • ■ • , 01)2. □ 



Assume that the two values of B{i) derived from Eqs. (|7ap and (j7b[) are -Bi(z) 
and B2{i), respectively. The following corollary shows that the two values have 
a deterministic relation: i?2(*) — Bi{i) 128. 

Corollary 1. Assume that a,b,c,x are all 8-bit integers, a = b and c > 0. Given 
two equations, {a (B x) — {b (B x) — c and (6 © x') — (a © x') — c' , if c' = 256 — c, 
then x' ^ x(S 128. 

Proof. Since c + c — 255, one has c' — 256 — c = c + 1. Let c = X]I=o ' ^'^'^ 
observe the first condition of the proof of Theorem [TJ One can see that cq = 1, 
so Cq = Co + 1 = 1. Since there is no carry bit, one can deduce that Vi = 1 ~ 7, 
c[ = Ci. Applying Theorem [1] for (a © x) — (6 © x) = c, one can uniquely get 
X — a© (1, cj, • • • , ci)2. Then, applying Theorem[T]for {b(Bx') — {a(Bx') — c', one 
has x' = 6 © (1, Cy, • • • , c[)2 = a © (1, C7, • • • , 01)2 — (07, ae © C7, • • • , ao © 01)2 = 
(07, ae © C7, • • • , ao © 01)2 = a © (1, C7, • • • , 01)2 © (1, 0, • • • , 0)2 = a; © 128. Thus, 
this corollary is proved. □ 

For any one of the two candidate values of B{i), one can further get an 
equivalent chaotic state x{8i + 7) from B{i), f{i) and f'{i) as follows: 

x{&i + 7) = 256 • f'{i) - {f{i) © B{i)) = 256 • x{8i + 7) (mod 256) . (8) 

With B{i) and x{8i + 7), the encryption formula Eq. ([3]) becomes 



Assume that xi{8i + 7) and X2{8i + 7) are calculated by Eq. from Bi{i) 
and B2{i), respectively. Then, we have the following proposition. 

Proposition 1. {Bi{i), xi{8i + 7)) and {B2{i), £2(81 + 7)) are equivalent for the 
above encryption procedure Eq. 0), though only one corresponds to the correct 
value generated from the secret key. That is, 

((/(j) © Bi{i)) + xi{8i + 7)) = ((/(i) © B2{i)) + X2{8i + 7)) (mod 256) . 

Proof From Bi{i) = B2{i) © 128, one has f{i) © Bi{i) {f{i) © B2(i) © 128). 
Then, following Lemma H it is true that (/(i) © Bi{i)) = {{f{i) © ^2(0) + 
128) (mod 256). As a result, xi{8i + 7) = (256 • f'{i) - {f{i) © Bi{i))) = 
(256 •/'(i)-((/(i)© -82(0) -128)) (mod 256) = (^2(8^ + 7) + 128) (mod 256), 
which immediately leads to the following fact: ((/(«) © Bi{i)) + xi{8i + 7)) = 
((/(*) ® ^2(0) + S:2{8i + 7)) (mod 256). Thus, this proposition is proved. □ 



((/(i) © B{i)) + x{8i + 7)) mod 256 
256 



(9) 



and the decryption formula Eq. @ becomes 



f{i) = ((256 • f'{i) - x{8i + 7)) mod 256) © B{i) . 



(10) 



Considering the symmetry of the encryption and decryption procedures, the 
above proposition immediately leads to a conclusion that {Bi{i), xi{8i + 7)) and 
{B2{i),X2{8i + 7)) are also equivalent for the decryption procedure Eq. pO|) . 



From the above analyses, with two chosen plaintexts /i and /2 — fi, one 
can get the following two sequences: {Bi{i),xi{8i + 7)}^q^ and {i?2(j), £2(81 + 
7)}^Q^. Given a ciphertext /' = {/'(«)}fc=o^' V z = ~ A^ — 1, one can use either 
(-Bi(z), xi(8i + 7)) or {B2{i),X2{Si + 7)) as an equivalent of the secret key to 
decrypt the i-th plain-byte /(«), following Eq. (fTO)l . This means that the chaotic 
cipher under study is not sufficiently secure against the chosen-plaintext attack. 

To demonstrate the feasibility of the proposed attack, some experiments have 
been performed for image encryption, with secret key r = 1.99, a;(0) = 0.41 
and [5'o(0), • ■ • , 5*7(0)] = [1, —1, 1, —1, 1, —1, 1, —1]. One plain-image "Lenna" of 
size 256 x 256 is chosen as /i and another plain-image is manually generated 
as follows; /2 = fi- The two plain- images and their cipher- images are shown 
in Fig. [T] With the two chosen plain-images, two sequences, {Bi{i), xi{8i + 
7)|256x256-i ^^^^ {^2(0, X2{8i + 7)y^il''^^^-\ are generated by using the above- 
mentioned algorithm. The first ten elements of the two sequences are given in 
Tabled V« = ~ (256x256-1), either (Bi(i),xi(8i-H7)) or (B2(j), ^2(8^ 7)) 
can be used to recover the plain-byte /(«). As a result, the whole plain-image 
("Peppers" in this test) can be recovered as shown in Fig. [1]:. 



Table 1. The first ten elements of {Bi{i),xi{8i + 7)}^i^''2^^"^ and 
{B2{i),X2{8z + 7)}Zf'-' 



i 





1 


2 


3 


4 


5 


6 


7 


8 


9 


Bi{i) 


146 


231 


54 


202 


59 


243 


166 


173 


233 


82 


B2{t) 


18 


103 


182 


74 


187 


115 


38 


45 


105 


210 


xi(8i + 7) 


242.40 


38.63 


242.62 


222.09 


81.03 


214.73 


240.91 


203.59 


138.20 


9.33 


:r2(8i + 7) 


114.40 


166.63 


114.62 


94.09 


209.03 


86.73 


112.91 


75.59 


10.20 


137.33 



4 Conclusion 

In this paper, the security of a chaotic cipher based on clipped neural network 
has been analyzed in detail. It is found that the scheme can be effectively broken 
with only two chosen plain-images. Both theoretical and experimental analyses 
have been given to support the proposed attack. Therefore, this scheme is not 
suggested for applications that requires a high level of security. 
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